This section describes the fields that appear in the Miscellaneous tab of the Add/Edit Appliance page:
Hosts File. Static DNS mappings to be used internally by the appliance (and to resolve Entitlements). If a hostname is mapped here, a DNS search will not be made for this hostname.
Refer to Sites > Name Resolvers to enable the use of the hosts file for resolving Entitlement actions.
For more information on how Entitlement actions are resolved, please refer to Defining Hosts.
Extra Hostnames In Certificates. Add any extra names required. For example, this allows HA Gateways and Controllers to exist on the same appliances: HA Controllers require both to have the same name, whereas HA Gateways require the names to be different. Both hostnames should resolve to the same IP. Another example is when each tenant in a multi-tenant collective requires its own 'branded' URL to be used in the Client.
Allow Ping Sources. Ping is not allowed by default. Appliances are cloaked using SPA, so Ping should be limited to known IP ranges. To allow an ICMP echo request, the requesting IP address must have a match in Allow Ping Sources. By default the list contains two entries: address 0.0.0.0 with netmask length 0, and address :: with netmask length 0 (i.e. any IPv4 or IPv6 source).
If the list is empty, no connections are allowed.
If an entry contains address, netmask and interface, then both subnet and interface must match.
If an entry only contains address and netmask, then only subnet needs to match.
If an entry only contains interface, then only the interface must match.
Example:
Address | (OPTIONAL: IPv4 or IPv6 address of host or subnet to allow) |
Netmask Length | (OPTIONAL: Netmask, set to 32 (IPv4) or 128 (IPv6) for single host) |
Interface | (OPTIONAL: ethX, only allow connections through this interface) |
Appliance Customization. Select the customization script to be applied to this Appliance. Appliance Customization scripts can only be run if they have been enabled; this is decided by an option when you create the seed file for the appliance, and they can be enabled at any time using cz-config. Scripts must be uploaded on the Appliance Customizations form first.
Rsyslog Destinations. Rsyslog, which handles outgoing logs in all appliances, can be configured to send copies of logs to remote Syslog-compatible servers. See System Logs for more information about when to use Rsyslog Destinations and when to use LogForwarders instead.
Selector | FACILITY.PRIORITY, where FACILITY is a Syslog facility such as <auth>, <kern> or <user>, and PRIORITY is a Syslog priority such as <info>, <warning> or <error>. Wildcards are supported, e.g. auth.*, *.error, *.* |
Template | Formatting template for each message sent, where %KEYWORD% is replaced by the value of KEYWORD for each message. Example: %syslogtag% %msg%. See https://www.rsyslog.com/doc/v8-stable/configuration/templates.html for details. |
Destination | Hostname or IPv4 or IPv6 address, prefixed with @ for UDP or @@ for TCP. Example: @192.168.1.25 |
For logs in JSON token format:
Audit logs can be exported in JSON token format. These can then be used in SIEM systems (such as Splunk) that support JSON log formatting. We tag all logs related to user activity with [AUDIT] (this is also what we send to the internal LogServer). Enter the following:
Selector | :msg, contains, "[AUDIT]" This selects only the AUDIT logs. |
Template | %msg:9:$%\n This strips the first 9 chars from the message, which are the time-stamp + [AUDIT], so what is left is proper JSON that Splunk can auto-parse. |
Destination | @@<hostname or IP>:<PORT> Note: @@ specifies TCP; if you want UDP then use @. |
NOTE
The connection will not be encrypted, so it is recommended to do this on a secure network only. For details of how to configure secure log transfer, please refer to Configuring secure log transfer via rsyslog.
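The selector and template above, emulated in Python so you can check what the SIEM will actually receive. This is an added example, not part of the original page or the appliance; the sample msg values are constructed and assume, as the page states, a 9-character prefix in front of the JSON.

```python
import json

AUDIT_MARKER = "[AUDIT]"
PREFIX_LEN = 9  # characters removed by the %msg:9:$% template, per the page

# Constructed sample values of the rsyslog msg property (not real appliance output).
# The first two carry the [AUDIT] tag followed by a JSON document.
SAMPLE_MSGS = [
    ' [AUDIT] {"event": "login", "user": "alice", "result": "success"}',
    ' [AUDIT] {"event": "policy_change", "user": "bob", "policy": "p1"}',
    ' kernel: eth0: link is up',
    ' sshd[123]: Accepted publickey for admin',
]


def selector_matches(msg: str) -> bool:
    """Emulates the selector ':msg, contains, "[AUDIT]"'."""
    return AUDIT_MARKER in msg


def apply_template(msg: str) -> str:
    """Emulates the template '%msg:9:$%\\n': drop the first 9 chars, append a newline."""
    return msg[PREFIX_LEN:] + "\n"


def forward_audit_json(msgs):
    """Return the parsed JSON objects a SIEM would receive for the selected messages.

    Raises ValueError if the fixed-offset strip leaves something that is not JSON,
    which is what happens when the prefix is not exactly 9 characters long.
    """
    received = []
    for msg in msgs:
        if not selector_matches(msg):
            continue                      # non-audit lines are never forwarded
        line = apply_template(msg)
        try:
            received.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"template left a non-JSON payload: {line!r}") from exc
    return received
```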
SNMP Server. Check to allow remote monitoring of the appliance through SNMP. The AppGate ZTNA appliance includes its own SNMP MIB which can be downloaded from Settings>Utilities.
Configuration. This text box allows you to insert your SNMP configuration file settings. AppGate ZTNA uses the standard Ubuntu Net-SNMP daemon. Information about generating a configuration file snmpd.conf is available at this website: https://manpages.ubuntu.com/manpages/resolute/en/man5/snmpd.conf.5.html
Here are some examples of simple SNMP configurations:
| This is the default configuration for SNMP and gives basic read-only access to the appliance's SNMP service. |
| This gives basic read-only access to the appliance SNMP service for user1. |
| This gives basic read-only access to the appliance SNMP service for user2. Make sure user2password is a minimum of 8 characters long. Do not use this option if the tool you are using requires encryption. |
| This gives read-only access to the appliance SNMP service for user3. Make sure user3password is a minimum of 8 characters long. In this case the command sent from the other end should include: |
Allow Access.
Local TCP/UDP Port. These ports will be opened to allow inbound traffic from the requesting IP address. An example SNMP configuration that will use a different port number:
| This gives basic read-only access using TCP port 555 and UDP port 666 instead of the default 161. |
Sources. To allow inbound traffic, the requesting IP address must match at least one of these source addresses. By default the list contains two entries: address 0.0.0.0 with netmask length 0, and address :: with netmask length 0 (i.e. any IPv4 or IPv6 source).
If the list is empty, no connections are allowed.
If an entry contains address, netmask and interface, then both subnet and interface must match.
If an entry only contains address and netmask, then only subnet needs to match.
If an entry only contains interface, then only the interface must match.
Example:
Address | (OPTIONAL: IPv4 or IPv6 address of host or subnet to allow) |
Netmask Length | (OPTIONAL: Netmask, set to 32 (IPv4) or 128 (IPv6) for single host) |
Interface | (OPTIONAL: ethX, only allow connections through this interface) |
Healthcheck Server. The healthcheck service runs an HTTP server listening on a given port. The service will answer with HTTP 200 if the system is healthy or HTTP 503 (service unavailable) if the system is unhealthy. This can be used to provide healthchecks for load balancers.
Port. The default is port 5555.
Allowed Sources. To allow inbound traffic, the requesting IP address must match at least one of these source addresses. By default the list contains two entries: address 0.0.0.0 with netmask length 0, and address :: with netmask length 0 (i.e. any IPv4 or IPv6 source).
If the list is empty, no connections are allowed.
If an entry contains address, netmask and interface, then both subnet and interface must match.
If an entry only contains address and netmask, then only subnet needs to match.
If an entry only contains interface, then only the interface must match.
Example:
Address | (OPTIONAL: IPv4 or IPv6 address of host or subnet to allow) |
Netmask Length | (OPTIONAL: Netmask, set to 32 (IPv4) or 128 (IPv6) for single host) |
Interface | (OPTIONAL: ethX, only allow connections through this interface) |
Prometheus Exporter. The Prometheus Exporter runs an HTTP server listening on a given port serving the appliance's Prometheus metrics at GET /metrics. There is a table that provides full details of all the Prometheus metric types available in the AppGate ZTNA appliance.
Metric Data. Select the labels to exclude from the metrics data.
Port. The default is port 5556.
Allow Access. To allow inbound traffic, the requesting IP address must match at least one of these source addresses. By default the list contains two entries: address 0.0.0.0 with netmask length 0, and address :: with netmask length 0 (i.e. any IPv4 or IPv6 source).
If the list is empty, no connections are allowed.
If an entry contains address, netmask and interface, then both subnet and interface must match.
If an entry only contains address and netmask, then only subnet needs to match.
If an entry only contains interface, then only the interface must match.
Example:
Address | (OPTIONAL: IPv4 or IPv6 address of host or subnet to allow) |
Netmask Length | (OPTIONAL: Netmask, set to 32 (IPv4) or 128 (IPv6) for single host) |
Interface | (OPTIONAL: ethX, only allow connections through this interface) |
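The matching rules shared by the Allow Ping Sources, SNMP Sources, Healthcheck Allowed Sources and Prometheus Allow Access lists, written out in Python so a list can be checked against a candidate source before it is saved. This is an added example, not code from the original page or the appliance; the SourceEntry class and the treatment of a missing netmask length as a single host are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class SourceEntry:
    """One row of a source list (hypothetical representation); every field is optional."""
    address: Optional[str] = None          # IPv4 or IPv6 host or subnet address
    netmask_length: Optional[int] = None   # 32 (IPv4) or 128 (IPv6) for a single host
    interface: Optional[str] = None        # e.g. "eth0"


# The two entries the page says are present by default: any IPv4 and any IPv6 source.
DEFAULT_SOURCES = [SourceEntry("0.0.0.0", 0), SourceEntry("::", 0)]


def entry_matches(entry: SourceEntry, src_ip: str, iface: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    subnet_ok = iface_ok = None
    if entry.address is not None:
        plen = entry.netmask_length
        if plen is None:   # assumption: no netmask length means a single host
            plen = ipaddress.ip_address(entry.address).max_prefixlen
        net = ipaddress.ip_network(f"{entry.address}/{plen}", strict=False)
        subnet_ok = ip.version == net.version and ip in net
    if entry.interface is not None:
        iface_ok = entry.interface == iface
    if subnet_ok is not None and iface_ok is not None:
        return subnet_ok and iface_ok      # address, netmask and interface: both must match
    if subnet_ok is not None:
        return subnet_ok                   # address and netmask only: subnet must match
    if iface_ok is not None:
        return iface_ok                    # interface only: interface must match
    return False                           # assumption: an entry with no fields matches nothing


def is_allowed(sources, src_ip: str, iface: str) -> bool:
    """True if a request from src_ip arriving on iface matches at least one entry."""
    if not sources:
        return False                       # empty list: no connections are allowed
    return any(entry_matches(e, src_ip, iface) for e in sources)
```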
Enable HTTPS. Allow the use of HTTPS for metrics export. Metrics scraping requires a PKCS#12 file containing a certificate signed by a trusted CA (for the appliance hostname) and the private key; these are required to terminate the inbound HTTPS connection used to scrape the metrics.
HTTPS Certificate (PKCS #12). Allows you to upload a PKCS #12 file which includes a CA signed certificate to allow inbound connections to scrape metrics.
File. Select the PKCS #12 file to upload.
Password. The password for the PKCS #12 file.
See Adding third party certificates for more details.
Enable Basic Authentication. Use Basic Authentication (use with HTTPS to avoid exposing credentials).
Allowed Users. Add username and password for allowed users.
Legacy Settings. For upgraded systems only:
System DNS Search Domains. This field should not normally be used as appliances should always use FQDNs.